ACG-CYBER SECURITY BULLETIN NO 145 UNDERSTANDING THE RISK OF EXPENSIVEWALL MALWARE

The following information was obtained from different cyber security sources for notification to all parties concerned pursuant to the mandate of the Philippine National Police Anti-Cybercrime Group (PNP ACG).

The information provided was classified as “Restricted” pursuant to the PNP Regulation 200-012 on Document Security and Impact Rating as high based on PNP Information Communication Technology (ICT) Security Manual s.2010-01 p. 22 and p.129.

SUMMARY

ExpensiveWall Malware is a type of Android malware that sends fraudulent SMS messages and charges users’ accounts for fake services without their knowledge. It is also capable of collecting data about the device such as location and IP address.

Once ExpensiveWall Malware is downloaded, it requests several common permissions: internet access, which allows the app to connect to its C&C server, and SMS permissions, which enable it to send premium SMS messages and register users for other paid services, all without the user’s knowledge.

While these permissions are dangerous in the hands of malware, many apps request the same permissions for legitimate purposes. Most users grant them without a second thought, especially when installing an app from a trusted source such as Google Play.
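The permission combination described above (SMS sending, network access for the C&C server, and device identifiers) is something an analyst can check for mechanically. The following script is an added example, not tooling from the PNP ACG or from the bulletin's sources: it parses the decoded text form of an app's AndroidManifest.xml and flags that combination for manual review. The two manifests embedded in it are constructed samples, and the risk rules are the editor's own reading of the bulletin, not a published detection signature.

```python
"""Triage the permissions declared in an Android app manifest.

Added example, not tooling from the PNP ACG or from the bulletin's sources.
It reads the decoded (text) form of AndroidManifest.xml; the manifest inside
an APK is binary XML and must first be decoded, for instance with apktool.
The rules encode the combination the bulletin describes: SMS sending plus
network access (C&C reachability) plus device identifiers and location.
The two manifests at the bottom are constructed samples.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS  # android:name in Clark notation

# Permission groups, keyed by the capability the bulletin attributes to them.
SMS_SEND = {"android.permission.SEND_SMS"}
SMS_READ = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
NETWORK = {"android.permission.INTERNET"}
IDENTIFIERS = {"android.permission.READ_PHONE_STATE"}  # IMEI / IMSI
LOCATION = {"android.permission.ACCESS_FINE_LOCATION",
            "android.permission.ACCESS_COARSE_LOCATION"}


def declared_permissions(manifest_xml: str) -> set:
    """Return the names of all <uses-permission> entries in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    return {el.get(NAME_ATTR) for el in root.iter("uses-permission")
            if el.get(NAME_ATTR)}


def triage(manifest_xml: str) -> dict:
    """Return the permission set, human-readable findings and a risk level.

    Findings are prompts for manual review, not a verdict: as the bulletin
    notes, a legitimate messaging app may declare the very same permissions.
    """
    perms = declared_permissions(manifest_xml)
    findings = []
    if perms & SMS_SEND and perms & NETWORK:
        findings.append("can send SMS and reach a remote server "
                        "(premium-SMS fraud pattern)")
    if perms & SMS_SEND and perms & SMS_READ:
        findings.append("can both send and read SMS")
    if perms & IDENTIFIERS:
        findings.append("can read device identifiers such as IMEI/IMSI")
    if perms & LOCATION:
        findings.append("can read device location")

    if perms & SMS_SEND and perms & NETWORK and perms & (IDENTIFIERS | LOCATION):
        risk = "high"
    elif perms & SMS_SEND:
        risk = "medium"
    else:
        risk = "low"
    return {"permissions": sorted(perms), "findings": findings, "risk": risk}


# Constructed sample: a "free app" asking for far more than it needs.
SUSPICIOUS_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed.freeapp">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
</manifest>
"""

# Constructed sample: the same kind of app declaring only network access.
BENIGN_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed.freeapp">
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>
"""

if __name__ == "__main__":
    for label, manifest in (("suspicious", SUSPICIOUS_MANIFEST),
                            ("benign", BENIGN_MANIFEST)):
        report = triage(manifest)
        print(f"{label}: risk={report['risk']}")
        for finding in report["findings"]:
            print(f"  - {finding}")
```

The script deliberately reports a combination rather than any single permission: INTERNET on its own is near-universal, and SEND_SMS on its own is normal for a messaging app, so only the pairing with identifier or location access raises the level to "high", and even then the output is a cue for a human to read the app's description and reviews, which is exactly what the bulletin's recommendations ask users to do.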

ExpensiveWall Malware contains a bridge between in-app actions and JavaScript code running in a WebView (an embedded web page view), so JavaScript executing inside the WebView can trigger in-app activities. After it is installed and granted the necessary permissions, ExpensiveWall sends data about the infected device to its C&C server, including its location and unique identifiers such as MAC and IP addresses, IMSI, and IMEI.
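The WebView-to-app bridge described above leaves recognisable traces in an app's decompiled source, which is how an analyst triaging a suspicious APK would look for it. The script below is an added example, not code from the bulletin or its sources: it runs a few regular expressions over decompiled Java or Kotlin text (jadx output, for instance) and reports where a WebView is given a JavaScript bridge, has JavaScript enabled, or loads content over plain HTTP. The two source snippets it scans are constructed samples written to show the risky pattern beside a hardened one; they are not ExpensiveWall's code.

```python
"""Flag WebView-to-app JavaScript bridges in decompiled Android source.

Added example, not code from the bulletin or its sources. It scans the
Java/Kotlin text produced by a decompiler and reports the lines where a
WebView is handed a JavaScript bridge, has JavaScript enabled, or loads
content over plain HTTP. That is the set-up the bulletin describes, in
which script inside the WebView can trigger in-app actions. The two
source snippets at the bottom are constructed samples.
"""
import re

# Each indicator is a regex applied to one source line (Java or Kotlin form).
INDICATORS = {
    "js_bridge": re.compile(r"\.addJavascriptInterface\s*\("),
    "js_enabled": re.compile(
        r"\.setJavaScriptEnabled\s*\(\s*true\s*\)|javaScriptEnabled\s*=\s*true"),
    "cleartext_load": re.compile(r"\.loadUrl\s*\(\s*\"http://"),
}


def scan_source(text: str) -> list:
    """Return (line_number, indicator, stripped_line) for every match."""
    hits = []
    for number, line in enumerate(text.splitlines(), start=1):
        for name, pattern in INDICATORS.items():
            if pattern.search(line):
                hits.append((number, name, line.strip()))
    return hits


def assess(hits: list) -> str:
    """Summarise what the hits mean for a reviewer."""
    kinds = {name for _, name, _ in hits}
    if {"js_bridge", "js_enabled"} <= kinds:
        verdict = "review: page script can call app methods through the bridge"
        if "cleartext_load" in kinds:
            verdict += "; content is loaded over plain HTTP and can be altered in transit"
        return verdict
    if kinds:
        return "note: " + ", ".join(sorted(kinds))
    return "no WebView bridge indicators found"


# Constructed sample: the risky pattern, as a decompiler would print it.
RISKY_SOURCE = """\
public class MainActivity extends Activity {
    void setupWebView(WebView webView) {
        webView.getSettings().setJavaScriptEnabled(true);
        webView.addJavascriptInterface(new AppBridge(this), "app");
        webView.loadUrl("http://example.invalid/start");
    }
}
"""

# Constructed sample: the hardened form, with no bridge and no script execution.
HARDENED_SOURCE = """\
public class MainActivity extends Activity {
    void setupWebView(WebView webView) {
        webView.getSettings().setJavaScriptEnabled(false);
        webView.loadUrl("https://example.invalid/start");
    }
}
"""

if __name__ == "__main__":
    for label, source in (("risky", RISKY_SOURCE), ("hardened", HARDENED_SOURCE)):
        hits = scan_source(source)
        print(f"{label}: {assess(hits)}")
        for number, name, line in hits:
            print(f"  line {number} [{name}]: {line}")
```

A hit on `addJavascriptInterface` is not by itself proof of malice, since legitimate hybrid apps use the same API; the point of the check is to direct a reviewer to the bridge class and to what the loaded page can reach through it. On Android 4.2 and later only methods annotated with `@JavascriptInterface` are callable from script, which narrows but does not remove the exposure, so the defensive position for an app developer is to expose no bridge unless it is genuinely needed and to leave JavaScript disabled in any WebView that does not require it.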

Although ExpensiveWall Malware is currently designed only to generate profit from its victims, similar malware could easily be modified to use the same infrastructure to capture pictures, record audio, and even steal sensitive data, sending it all to a command and control (C&C) server. Because the malware operates silently, all of this illicit activity would take place without the victim’s knowledge, turning it into the ultimate spying tool.

RECOMMENDATION

The public is advised to follow these tips to avoid the risk of ExpensiveWall Malware, to wit:

  • Do your own safety checks - Before installing a new app, read other users’ reviews to see if the app is safe and does what it claims to do. Be extra wary of “free apps” distributed through little-known sites, or via links sent by email or text message.
  • Read the permissions first - Wading through all the legalese that comes with app permissions can be tiresome, but it is well worth your while. Make sure that the app won’t invade your privacy by accessing information it doesn’t need, like your contacts, camera, or keystrokes. Pay special attention to any mention of paid services, like premium text messages, so you know what you are agreeing to.
  • Limit your install options - Stick to using the official Google Play store or a reputable store like the Amazon App Store. (Although using the Play or Amazon stores is no guarantee that all the apps there are safe, they tend to have more users and more reviews to base your decisions on.)

For additional information, please refer to the following websites:

  • https://blog.checkpoint.com/2017/09/14/expensivewall-dangerous-packed-malware-google-play-will-hit-wallet/
  • http://techgenix.com/expensivewall-malware/

POINT OF CONTACT

Please contact PCINSP ANGELICA STARLIGHT L. RIVERA, Chief, Personnel Records Management Section, by e-mail or on telephone number (632) 7230401 local 3562 for any inquiries related to this CYBER SECURITY BULLETIN.